21 December 2017

Happy New (Security) Year!

As I realized that the year is almost over, I had a thought: wouldn’t it be great if we could get a crystal ball and see what the future holds for us? Although I would love to know about my personal life, it’s the cybersecurity world I’m referring to here! Alas, since that’s not possible, we will all have to settle for reading the reports coming out and talking about future “predictions” of the security realm. Predictions, even if they sometimes don’t come exactly true, would still assist us in taking a certain direction.

As I embarked on the path of report reading, I came across a variety of very good sources. I knew that I would find the security vendors publishing reports that predict one year ahead (i.e. 2018). But no, I was after a more unpredictable and a more questionable future.

The one that grabbed my attention was ISF’s, which predicts two to three years ahead. I meticulously went through the one called “Threat Horizon 2019”. Apparently, Threat Horizon 2020 is coming up around the corner! The three 2019 themes of “Disruption”, “Distortion”, and “Deterioration” didn’t really give me a warm and fuzzy feeling about the future. However, what I liked about it was that it linked threat trends to business impact (and this link, as we all know, is very hard to come by). I also really liked how each year they evaluated their previous predictions and mentioned whether they had come true or had not been predicted correctly. In my humble opinion, this keeps them honest and keeps up their credibility.

From that report, I moved on to IDC’s “Worldwide Security Products and Services 2018 Predictions”. This one was for five years and contained 10 predictions. Here also, I was happy to find a link between the prediction and its impact. To my further despondency, the predictions from this report weren’t really positive either. The only positive forecast I could find was the fact that our threat detection capabilities are predicted to improve greatly because of AI and automation.

Dragging my feet (in reality, I was dragging my eyes), I moved on to my last report, Forrester’s “Predictions 2018: Cybersecurity”, which was also an insightful read, covering six predictions for both security and risk professionals.

So, let me summarize for you what the common “predictions” were.

Ransomware and the business of “Digital Extortion” will continue (since it has proved to be very lucrative), and is predicted to target PoS devices next. IoT attacks will change from an “I want to cause chaos” to an “I want to make money” model, where attackers will target OT, medical devices and vehicles.

Additionally, for 2018 there will be a last-minute scramble to meet GDPR requirements. Further to that, blockchain will become the foundational technology for several security functions. Adoption of Cloud is set to increase, where the “Cloud Admin will be the new Domain Admin” (I really liked this sentence from the Forcepoint 2018 Security Predictions report, another I read). Crime-as-a-Service will continue, with Ransomware-as-a-Service coming in first place. Last, but not least, Workforce Monitoring (aka Workforce cyber defense) will continue because privacy requirements will not outweigh the need to monitor workforces (hint: start looking into UEBA technologies and approaches); although this was a contradicting statement between two reports, it was still food for thought.

But, do not despair – dear security specialist – and look at the bright side of things: the security world and the emerging threats will always keep us all on our toes with nary a day of boredom. It also unites us all in a common cause of mitigating cybersecurity risks and decreasing their business impact. I believe it’s great to be in this profession!

With this, I wish everyone a happy new “security” year, and may next year bring us all more AI technologies, more skilled resources, more collaboration and hence a safer and more secure cyber world!

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org